From: Alyssa Ross
To: devel@spectrum-os.org
CC: Demi Marie Obenour
Subject: [PATCH v2 2/6] host/rootfs: install shadow
Date: Tue, 9 Dec 2025 13:10:21 +0100
Message-ID: <20251209121023.705026-4-hi@alyssa.is>
In-Reply-To: <20251209121023.705026-2-hi@alyssa.is>
References: <20251209121023.705026-2-hi@alyssa.is>
X-Mailer: git-send-email 2.51.0
List-Id: Patches and low-level development discussion

Busybox's adduser is hardcoded to operate on /etc/passwd and create
/etc/passwd+ as a temporary file, which won't work for us with
read-only /. Shadow's useradd supports specifying a prefix, so it
will be able to operate on /run/etc/passwd and create sibling
temporary files. This will let us create new users at runtime.

Signed-off-by: Alyssa Ross
Message-ID: <20251209085628.603316-2-hi@alyssa.is>
---
v2: no change
v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251209085628.603316-2-hi@alyssa.is/

 host/rootfs/busybox-config |  3 +++
 host/rootfs/default.nix    | 11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/host/rootfs/busybox-config b/host/rootfs/busybox-config index f2fd5fca..18687738 100644 --- a/host/rootfs/busybox-config +++ b/host/rootfs/busybox-config 
@@ -11,6 +11,7 @@ CONFIG_CHATTR n CONFIG_CHCPU n CONFIG_CHMEM n CONFIG_CHOOM n +CONFIG_CHPASSWD n CONFIG_CHRT n CONFIG_COLCRT n CONFIG_COLRM n @@ -57,6 +58,7 @@ CONFIG_LDATTACH n CONFIG_LINUX32 n CONFIG_LINUX64 n CONFIG_LOGGER n +CONFIG_LOGIN n CONFIG_LOOK n CONFIG_LOSETUP n CONFIG_LSATTR n @@ -88,6 +90,7 @@ CONFIG_NAMEI n CONFIG_NOLOGIN n CONFIG_NSENTER n CONFIG_PARTX n +CONFIG_PASSWD n CONFIG_PIPESZ n CONFIG_PIVOT_ROOT n CONFIG_POWEROFF n diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index abdd8b28..d86d8cc8 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -13,7 +13,7 @@ pkgsMusl.callPackage ( , btrfs-progs, bubblewrap, busybox, cloud-hypervisor, cosmic-files , crosvm, cryptsetup, dejavu_fonts, dbus, execline, foot, fuse3 , iproute2, inotify-tools, jq, kmod, mdevd, mesa, mount-flatpak, s6 -, s6-linux-init, socat, systemd, util-linuxMinimal, virtiofsd +, s6-linux-init, shadow, socat, systemd, util-linuxMinimal, virtiofsd , westonLite, xdg-desktop-portal, xdg-desktop-portal-gtk , xdg-desktop-portal-spectrum-host }: @@ -27,8 +27,8 @@ let packages = [ btrfs-progs bubblewrap cloud-hypervisor cosmic-files crosvm cryptsetup dbus execline fuse3 inotify-tools iproute2 jq kmod mdevd mount-flatpak s6 - s6-linux-init s6-rc socat spectrum-host-tools spectrum-router - util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host + s6-linux-init s6-rc shadow socat spectrum-host-tools spectrum-router + virtiofsd xdg-desktop-portal-spectrum-host (foot.override { allowPgo = false; }) @@ -36,6 +36,11 @@ let # Use a separate file as it is a bit too big. extraConfig = builtins.readFile ./busybox-config; }) + + (util-linuxMinimal.overrideAttrs ({ configureFlags ? [], ... }: { + # Conflicts with shadow. + configureFlags = configureFlags ++ [ "--disable-nologin" ]; + })) ]; nixosAllHardware = nixos ({ modulesPath, ... }: { -- 2.51.0
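
Review bot: the three busybox-config hunks turn off CONFIG_CHPASSWD, CONFIG_LOGIN and CONFIG_PASSWD, but the commit message only motivates replacing adduser with useradd and never mentions these applets. If they are disabled because shadow installs programs of the same name (the reason the default.nix comment gives for nologin), say so in the commit message. It would also help to state whether busybox's adduser stays enabled: the visible hunks do not touch it, so it is unclear whether the host ends up with both the /etc/passwd-only adduser and the prefix-aware useradd, where a caller that picks the wrong one would only fail at runtime on the read-only /.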
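
Review bot: in the default.nix hunk that edits the packages list, shadow is added as a whole package although the stated need is only useradd with a prefix. The busybox-config hunks suggest it also puts its own login, passwd and chpasswd on the host, so the patch changes which implementation of those tools the host runs, not just how users are created. Please confirm that this is intended for the host rootfs and mention it in the commit message, or note why installing only useradd is not practical.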
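
Review bot: the comment "# Conflicts with shadow." in the util-linuxMinimal.overrideAttrs hunk does not say what conflicts. Naming the colliding program (the flag is --disable-nologin, so presumably nologin) would let a later reader tell when the override can be dropped. Since CONFIG_NOLOGIN is already n in the busybox-config context lines, shadow's nologin becomes the only one on the host after this change, which deserves a line in the commit message. The `configureFlags ? []` default is a good guard; it is also worth checking whether other entries in the list still pull in the unmodified util-linuxMinimal, which would leave two util-linux builds in the image.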